JsTranslationBundle Security Release

The locales parameter was not validated, so it was possible to perform a request such as the following:

http://localhost/translations?locales=randomstring/something

The file something.js was then created in the subdirectory messages.randomstring of the cache directory, which was not the intended behavior. Because the parameter value was used unchanged in the file path, it became possible to traverse outside the bundle's cache directory.

Depending on the server configuration, it was even possible to create or overwrite files in the web directory. Filtering the locales parameter mitigates this issue as well as the remote code injection issue described below.

It was also possible to pass JavaScript code in the locales parameter, which was then injected into the generated JS files.
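The following is an added example of the kind of filtering described above; it is not the bundle's own code. The class name, the locale regex and the "domain.locale.js" cache layout are assumptions made for illustration, and the sample request value is constructed.

```php
<?php
// Added example (not the bundle's own code): reject malformed values of the
// "locales" query parameter before they reach cache paths or generated JS.
// Class name, regex and cache layout are assumptions, not the bundle's API.
declare(strict_types=1);

final class LocaleFilter
{
    // Only locale tags such as "en", "fr_FR", "pt-BR", "zh_Hant_TW": letters and
    // digits joined by "_" or "-". Slashes, dots, spaces, "(" etc. cannot match.
    private const LOCALE_PATTERN = '/^[a-z]{2,3}(?:[_-][A-Za-z0-9]{2,8}){0,3}$/';

    /** Split the comma-separated parameter, keep well-formed tags, collect the rest in $rejected. */
    public static function filter(string $raw, array &$rejected = []): array
    {
        $accepted = [];
        foreach (explode(',', $raw) as $candidate) {
            $candidate = trim($candidate);
            if ($candidate === '') {
                continue;
            }
            if (preg_match(self::LOCALE_PATTERN, $candidate) === 1) {
                $accepted[] = $candidate;
            } else {
                $rejected[] = $candidate;
            }
        }
        return array_values(array_unique($accepted));
    }

    // Cache file for one validated locale, mirroring the "<domain>.<locale>.js"
    // layout the advisory describes. With an unvalidated value such as
    // "randomstring/something" the "/" would create a subdirectory; a filtered
    // locale contains no "/" or "..", so the file stays directly in $cacheDir.
    public static function cachePath(string $cacheDir, string $domain, string $locale): string
    {
        return rtrim($cacheDir, '/') . '/' . $domain . '.' . $locale . '.js';
    }
}

// Constructed sample input: the traversal value from the advisory and a
// JavaScript-looking value are dropped, ordinary locale tags pass.
$rejected = [];
$ok = LocaleFilter::filter('en, fr_FR,randomstring/something,doSomething();', $rejected);
assert($ok === ['en', 'fr_FR']);
assert($rejected === ['randomstring/something', 'doSomething();']);
echo LocaleFilter::cachePath('/var/cache/app/bazinga', 'messages', 'fr_FR'), PHP_EOL;
```

Logging the contents of $rejected gives a simple detection signal for requests that probe this parameter.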